What is a Rootkit?
A rootkit is a type of malware that gives an attacker privileged, persistent access to a machine while hiding its own presence, so that data can be read and exfiltrated without detection.
The term covers a toolbox of software designed to infect a computer, give the attacker remote control, and remain hidden for a long period of time. As a result, rootkits are among the most difficult malware strains to discover and remove, and they are frequently used to eavesdrop on users and to stage attacks on other machines.
Rootkit malware can contain multiple malicious tools, which typically include bots to launch distributed denial-of-service (DDoS) attacks; software that can disable security software, steal banking and credit card details, and steal passwords; and keystroke loggers. A rootkit usually provides an attacker with a backdoor into a machine, which gives them access to the infected computer and enables them to change or remove software and components when they choose.
Types of Rootkits
Rootkits can be installed through several methods, but they typically target a vulnerability in a machine’s operating system (OS) or application on the machine. Attackers will target known vulnerabilities and use exploit code to attack a machine, then install a rootkit and other components that give them remote access.
Another common rootkit installation method is through infected universal serial bus (USB) drives that attackers leave in public places in the hope that unwitting victims will pick them up and plug them into a machine. The malware hidden on a USB drive will then install as part of an application or file that appears to be legitimate.
However, rootkit techniques are not used only for malicious purposes. They have also been used by organizations and law enforcement to monitor employees, which enables them to investigate machines and counter possible cyber threats.
There are several types of rootkit, each giving attackers a different route into a computer, a different place to hide, and a different way to steal data from users.
A firmware rootkit, also known as a hardware rootkit, infects firmware rather than the OS: typically the motherboard's basic input/output system (BIOS), or its modern replacement UEFI, which is stored on a small flash chip on the motherboard, or the firmware of a hard drive. Because firmware runs before the OS loads and survives a disk wipe, these rootkits are the most persistent of all. Some firmware rootkits target a user's router, and a hard drive firmware implant can intercept or alter data as it is written to disk.
A bootloader is the small program that the firmware loads from the boot device (a hard drive, USB stick, or optical disc) after power-on, and that in turn loads the OS kernel into memory. A bootloader rootkit, or bootkit, attacks this stage by replacing the machine's legitimate bootloader with a modified version, so the rootkit's code runs before the OS and before any security software installed on it.
A bootloader rootkit infects the master boot record (MBR) or volume boot record (VBR), which are raw sectors on the disk rather than files, so it does not show up in a standard file listing. This makes it extremely difficult for conventional anti-rootkit and antivirus software to detect. Because it modifies the boot records, removing it carelessly can leave the machine unable to boot. On UEFI systems, Secure Boot, which verifies the bootloader's signature before running it, is the main defense against this class of rootkit; a responder should confirm it is actually enabled rather than assume so.
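A first check a responder can make for an MBR bootkit is to dump the first sector of the disk and compare it with a known-good copy, since the boot code is not a file and file-level scanners never look at it. The following is an added example, not code from the original article: it parses a raw 512-byte MBR using the standard layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot code against a baseline, and sanity-checks the partition table. The sample image, the "clean" boot code prologue, and the baseline hash are constructed here for the demonstration; on a real machine the baseline would come from a trusted image of the same system.

```python
"""Inspect a raw MBR image for bootkit indicators.

Added example, not code from the original article. Input is the first
512-byte sector of a disk (for example from `dd if=/dev/sda bs=512
count=1 of=mbr.bin`); the sample image and baseline hash below are
constructed for the demonstration.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the executable boot code
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"    # bytes 510..511
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition table entries as dicts."""
    entries = []
    for i in range(4):
        status, _chs1, ptype, _chs2, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def inspect_mbr(mbr: bytes, baseline_sha256: str) -> dict:
    """Compare an MBR against a known-good boot code hash and sanity-check
    its partition table. Returns the hash, the entries and a list of findings."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    code_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if code_hash != baseline_sha256:
        findings.append("boot code differs from baseline")
    parts = parse_partitions(mbr)
    used = [p for p in parts if p["sectors"]]
    if sum(1 for p in used if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged bootable")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
    # Sectors between the MBR and the first partition are unused by the file
    # system, which is where MBR bootkits commonly stash their payload.
    gap = min((p["lba_start"] for p in used), default=1) - 1
    return {"boot_code_sha256": code_hash, "partitions": parts,
            "gap_sectors": gap, "findings": findings}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample image: one bootable Linux partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    part1 = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x83, b"\0\0\0", 2048, 1_000_000)
    return code + part1 + b"\x00" * 48 + SIGNATURE


# cli; xor ax,ax; mov ss,ax: a typical boot code prologue (constructed baseline)
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0"
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()


def demo() -> tuple:
    """Run the check on a clean image and on one whose entry point was patched."""
    clean = inspect_mbr(build_sample_mbr(CLEAN_BOOT_CODE), BASELINE_SHA256)
    # A bootkit typically patches the entry point with a jump into its own code.
    tampered = inspect_mbr(build_sample_mbr(b"\xeb\x7e" + CLEAN_BOOT_CODE), BASELINE_SHA256)
    return clean, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, result["findings"], "gap sectors:", result["gap_sectors"])
```

Two caveats apply when using this on a live system. If the machine boots with UEFI and a GPT disk, the MBR is only a protective stub and a bootkit will target the EFI system partition instead, so the same hash-against-baseline idea has to be applied to the bootloader files there. And a kernel-mode rootkit that has already loaded can intercept raw disk reads and hand back the original sector, so the dump should be taken from a separate, trusted boot medium rather than from the suspect OS.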
A memory rootkit lives only in a machine's random access memory (RAM) and never writes itself to disk. These rootkits are short-lived, but while resident they can carry out extremely harmful activity in the background.
Because they exist only in RAM, memory rootkits typically disappear when the system is rebooted, but removal can still require extra work, since a reboot clears the resident code without removing whatever delivered it. While active, their malicious processes consume memory and CPU and degrade the machine's performance.
An application rootkit replaces or patches legitimate application files on a computer with rootkit-infected versions, altering the behavior of standard programs such as Notepad, Paint, or Word. Every time a user runs one of these applications, the hidden code runs too and gives the attacker access to the machine. The infected programs appear to work normally, which makes the rootkit hard to notice, but because it lives in ordinary files on disk it is the type most likely to be caught by a good anti-rootkit or antivirus program, or by comparing file hashes against a known-good baseline.
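The practical check for an application rootkit is file integrity verification: hash every executable against a baseline taken from a trusted state (a fresh install, or a vendor's published hashes) and report anything whose contents changed. The following is an added example, not code from the original article. It builds a baseline, then simulates the replacement of one binary with a same-size file whose modification time has been restored, to show why a hash comparison is needed rather than a size or timestamp check. The directory, the fake binaries and the "trojanised" replacement are all constructed in a temporary directory for the demonstration.

```python
"""Hash-baseline check for replaced application files.

Added example, not code from the original article. A baseline built
from a trusted state is compared against the current files; anything
whose contents changed is reported even if its size and timestamp were
preserved. The files below are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative path) to (sha256, size)."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root))] = (sha256_file(p), p.stat().st_size)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the baseline and report the differences."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline two binaries, then trojanise one of them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"legit")
        (root / "mspaint.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"legit")
        baseline = build_baseline(root)

        # Simulated application-rootkit replacement: same size, same mtime,
        # different bytes. A timestamp or size check alone would miss this.
        target = root / "notepad.exe"
        before = target.stat()
        target.write_bytes(b"MZ" + b"\x00" * 62 + b"EVIL!")
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        (root / "helper.dll").write_bytes(b"MZ dropped component")

        result = verify(root, baseline)
        result["mtime_preserved"] = target.stat().st_mtime_ns == before.st_mtime_ns
        return result


if __name__ == "__main__":
    print(demo())
```

The baseline itself has to be stored somewhere the attacker cannot rewrite, or the check proves nothing. And, as with every on-host check, a kernel-mode rootkit can hook file reads so that the scanner is shown the original bytes while the patched binary is what actually executes; the reliable way to run this is from a separate, trusted boot medium against the suspect disk.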
Kernel Mode Rootkits
Kernel mode rootkits are advanced, complex malware that run inside the OS kernel itself. Running at the highest privilege level gives the attacker unrestricted access to the machine: they can steal data and change how the OS behaves by adding, deleting, or replacing kernel code and data, for example by hooking system calls so that the rootkit's own files, processes, and network connections are filtered out of what user-mode programs, including security tools, are allowed to see.
Writing a kernel mode rootkit requires significant technical knowledge, and because kernel code runs without the safety net that user-mode code has, a rootkit with bugs can crash the machine or badly degrade its performance. A kernel rootkit laden with bugs is also easier to detect, as the crashes and instability leave a trail for anti-rootkit or antivirus software and for administrators.
Rootkits of these types have been used in devastating attacks, including:
- NTRootkit: One of the first malicious rootkits created, which targeted the Windows OS.
- Machiavelli: The first rootkit to target Mac OS X. The 2009 Machiavelli rootkit created hidden kernel threads and hidden system calls within Mac machines.
- Zeus: A Trojan horse attack launched in 2007 that targeted banking information using a man-in-the-browser (MITB) attack method, alongside form grabbing and keystroke logging.
- Stuxnet: First discovered in 2010, the first known rootkit to specifically target industrial control systems and cause the equipment they run to malfunction.
- Flame: Discovered in 2012, attacks Windows computers and can record audio, keyboard activity, network traffic, and screenshots.
- Necurs: The rootkit behind one of the largest spam botnets ever seen, which was used to distribute the Locky ransomware and the Dridex banking trojan. Necurs protects the other malware it drops, enslaving the machine to the botnet and making the infection hard to remove.
- ZeroAccess: The rootkit that built the ZeroAccess botnet, whose bots consumed the infected machine's resources mining Bitcoin and committing click fraud. At its peak the botnet contained up to 2 million machines; most of it was taken down by security firms and law enforcement, but variants of ZeroAccess remain in circulation.
Detecting Rootkits - What is a Rootkit Scan?
A rootkit scan is the most effective method for users and organizations to detect rootkit infections. Rootkits are typically difficult for a machine's OS to detect as they are designed to camouflage themselves within a user’s system. As a result, antivirus solutions that can perform rootkit scans are often required to discover the malware.
Rootkit scanners work in two broad ways. Signature scanning searches files and memory for byte patterns belonging to known rootkits; this includes memory dump analysis, where the contents of RAM are captured and examined for the code and hooks a rootkit leaves there, since a kernel rootkit can filter what it shows to the running system but cannot rewrite a dump taken from outside it. Behavioral analysis looks for rootkit-like effects rather than the rootkit itself: differences between what the system reports through one interface and what it reports through another (a cross-view check), unexpected hooks in system call tables, or network traffic from processes that do not appear in the process list. Because it looks for effects rather than known code, behavioral analysis can alert users to a rootkit before they know they are under attack.
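The cross-view check is the simplest behavioral technique to reproduce, and it directly targets the system-call hooking described for kernel mode rootkits above. The following is an added example, not code from the original article, and it is written for Linux: a rootkit that hides a process usually filters the /proc directory listing that ps and top read, but the PID still exists in the kernel's process table, so probing every possible PID with kill(pid, 0) (which delivers no signal) finds it. Comparing the two views is the approach tools such as unhide take; the logic here is written from scratch, the /proc interfaces used (the PID directories, /proc/<pid>/status, /proc/sys/kernel/pid_max) are standard Linux, and the PID sets in the accompanying checks are constructed.

```python
"""Cross-view detection of hidden processes on Linux.

Added example, not code from the original article. The listing view
(os.listdir on /proc, what ps sees) is compared with the probing view
(kill(pid, 0) for every PID up to pid_max). PIDs present in the second
view but missing from the first are candidates for a hidden process.
"""
import os
from typing import Callable, Iterable, Optional, Set

PROC = "/proc"


def listed_pids(proc: str = PROC) -> Set[int]:
    """PIDs as the directory listing reports them (what ps sees)."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def probed_pids(max_pid: int) -> Set[int]:
    """PIDs that exist according to kill(pid, 0), which sends no signal.
    EPERM (we may not signal it) still proves the PID exists."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def proc_tgid(pid: int, proc: str = PROC) -> Optional[int]:
    """Thread group ID from /proc/<pid>/status, or None if unreadable."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(listed: Iterable[int], probed: Iterable[int],
                tgid_of: Callable[[int], Optional[int]]) -> Set[int]:
    """PIDs that respond to probing but are missing from the listing.

    kill(tid, 0) also succeeds for thread IDs, which never appear in the
    top-level /proc listing, so a candidate whose thread group leader is
    visible is a thread, not a hidden process. A candidate whose status
    file cannot be read, or whose leader is itself missing, stays flagged."""
    listed = set(listed)
    hidden = set()
    for pid in set(probed) - listed:
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid and tgid in listed:
            continue
        hidden.add(pid)
    return hidden


def scan() -> Set[int]:
    """Live scan. The listing is taken before and after the probe to shrink
    the window in which processes starting or exiting mid-probe are misreported."""
    with open(f"{PROC}/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    before = listed_pids()
    probed = probed_pids(max_pid)
    after = listed_pids()
    return hidden_pids(before | after, probed, proc_tgid)


if __name__ == "__main__":
    suspicious = scan()
    print("hidden PIDs:", sorted(suspicious) or "none")
```

A hit from this check is a lead, not proof: a short-lived process that started and exited during the probe can also show up. The follow-up is to inspect the candidate directly (/proc/<pid>/exe, /proc/<pid>/maps) and, if the rootkit hides those too, to take a memory dump from outside the running OS. A rootkit that hooks both readdir on /proc and the kill system call consistently will defeat this particular pair of views, which is why scanners combine several such cross-views rather than relying on one.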
Rootkit Protection and Removal
Rootkits are one of the most difficult malware programs to remove from infected machines. As a result, there is no guaranteed method for recovering a machine infiltrated by a rootkit, but there are steps that users and organizations can take to protect their computers and remove the malware.
Once a rootkit has been detected, the following process should be followed to remove it:
- Back up vital data: The rootkit’s reaction upon removal is unpredictable, and it may have defensive measures built in that could affect or damage the machine’s performance. Back up any important data and files that need to be retained from the machine.
- Boot into safe mode or, better, from trusted media: Many rootkits attempt to prevent a user from installing security tools or removing the malware. Restarting Windows in Safe Mode with Networking limits which drivers and services load; on Windows 10 and later, reach it through Settings > Recovery > Advanced startup, or by holding Shift while clicking Restart, since the F8 key at boot is disabled by default on modern systems. Safe mode does not stop a bootkit or firmware rootkit, which load before Windows does, so where possible scan the disk from a separate, trusted boot medium such as a rescue disc or USB stick instead.
- Use multiple rootkit scan tools: The wide range of rootkit families means that not all rootkit scans will be capable of discovering them. It is therefore important to use a combination of scanners that offer different capabilities.
- Quarantine remaining malware: Removing the rootkit alone does not guarantee that the machine is clean, because the rootkit was usually protecting other malware that may still be active or be designed to evade rootkit scans. Use conventional anti-malware tools to quarantine anything that remains, then clean it up.
- Advanced rootkit removal: Some rootkit types are particularly difficult to remove. A firmware or bootloader rootkit is unlikely to be removed by a standard rootkit scan, and the user may need to back up their data, wipe the disk, and reinstall the OS. A rootkit in the BIOS or UEFI firmware survives even a wipe and reinstall, because it lives on the motherboard rather than on the disk. Removing it requires reflashing the firmware from a known-good image obtained from the manufacturer, or replacing the motherboard if reflashing is not possible or cannot be trusted; for most organizations the practical answer is to retire the machine.
Preventing Rootkit Infections
Rootkits can be extremely difficult to remove, but they can be prevented from infecting machines in the same way as other forms of malware. Basic steps to follow to avoid rootkit infection include:
- Phishing awareness: Phishing attacks are one of the most common methods for infecting machines with malware. An attacker spams a list of email addresses with messages that appear to be legitimate but contain malicious attachments or links that they can use to infiltrate the user’s machine. It is therefore vital for end-users to be aware of common phishing attack tactics, always check a sender’s email address, and never follow links directly from email messages.
- Software updates: Software that is outdated or has reached the end of its life will no longer be supported by the publisher. This makes the program or system more vulnerable to attacks that infect them with malware like rootkits. Updating software at all times and ensuring it is set to automatically update is one of the best defenses against rootkits.
- Use antivirus solutions: Antivirus software alone is not a solid defense against cyberattacks. However, antivirus systems as part of an overarching security solution are integral to the fight against malware and help users discover the presence of rootkits.
- Scan and filter network traffic: In addition to antivirus systems, use traffic filtering software to monitor and scan the traffic coming in and out of networks at all times. This software scans inbound and outbound traffic to detect malware before it can infiltrate machines.
How Fortinet Can Help
Fortinet enables organizations to protect their networks and systems from potential attacks with the FortiGate next-generation firewalls (NGFWs). The Fortinet NGFWs protect organizations by providing full visibility of all traffic going in and out of their networks and automatically eliminating threats.
FortiGate inspects traffic at hyperscale, offering unparalleled performance, scale, and speed to ensure only legitimate traffic can reach business systems, without affecting user experience or creating downtime. FortiGate NGFWs also integrate with the Fortinet artificial intelligence-driven tools FortiGuard and FortiSandbox, which protect organizations from both known and new, emerging threats.
The Fortinet NGFWs are crucial to organizations that want to achieve digital transformation as they protect every edge and application at scale. They automate workflows, improve operational efficiency, and deliver best-of-breed protection against advanced threats.
What is a Rootkit Attack?
A rootkit attack occurs when a piece of malicious software infiltrates a computer, enabling an attacker to gain access and control of the machine and steal data from it. Rootkits are designed to evade detection and can remain hidden on machines for a long period of time. A rootkit often contains multiple tools, such as bots, keystroke loggers, and software that steals banking details and passwords.
How are Rootkits Detected?
Rootkits can be detected through a rootkit scan, which is typically part of an antivirus solution. Scanners search files and memory for known signatures and look for rootkit-like behavior, such as discrepancies between what different system interfaces report about the same processes or files.
Is Rootkit a virus?
No, a rootkit is not a virus. A computer virus is a piece of code that spreads by inserting copies of itself into other programs or files, and it usually damages the machine by corrupting files, destroying data, or wasting resources. A rootkit is defined instead by what it does once installed: it gives an attacker privileged access to the machine and hides that access. The two are not exclusive, since a rootkit may be delivered by a virus, a worm, or a Trojan.